CVE-2022-50295: io_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd()
In the Linux kernel, the following vulnerability has been resolved:
io_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd()
Syzkaller produced the below call trace:
BUG: KASAN: null-ptr-deref in io_msg_ring+0x3cb/0x9f0
Write of size 8 at addr 0000000000000070 by task repro/16399
CPU: 0 PID: 16399 Comm: repro Not tainted 6.1.0-rc1 #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7
Call Trace:
<TASK>
dump_stack_lvl+0xcd/0x134
? io_msg_ring+0x3cb/0x9f0
kasan_report+0xbc/0xf0
? io_msg_ring+0x3cb/0x9f0
kasan_check_range+0x140/0x190
io_msg_ring+0x3cb/0x9f0
? io_msg_ring_prep+0x300/0x300
io_issue_sqe+0x698/0xca0
io_submit_sqes+0x92f/0x1c30
__do_sys_io_uring_enter+0xae4/0x24b0
....
RIP: 0033:0x7f2eaf8f8289
RSP: 002b:00007fff40939718 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2eaf8f8289
RDX: 0000000000000000 RSI: 0000000000006f71 RDI: 0000000000000004
RBP: 00007fff409397a0 R08: 0000000000000000 R09: 0000000000000039
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004006d0
R13: 00007fff40939880 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Kernel panic - not syncing: panic_on_warn set ...
We don't have a NULL check on file_ptr in io_msg_send_fd() function,
so when file_ptr is NUL src_file is also NULL and get_file()
dereferences a NULL pointer and leads to above crash.
Add a NULL check to fix this issue.
This Linux kernel flaw can let a local workload trigger a NULL pointer dereference in io_uring message-ring handling, causing a kernel crash under the reported conditions. The business impact is availability risk, not confirmed data theft or remote compromise in the supplied sources.
Executive priority
Treat this as a focused availability patching item. It is not supported as internet-remote or actively exploited in the supplied sources, but kernel crashes on shared infrastructure can still disrupt services.
Technical view
The issue is missing NULL validation for file_ptr in io_msg_send_fd(). When file_ptr is NULL, src_file is NULL and get_file() dereferences it, producing a KASAN null-ptr-deref in io_msg_ring. Kernel stable commits add the NULL check.
Likely exposure
Exposure is most likely on Linux systems running affected kernel versions identified in the bundle, including 6.0, 6.0.6, and 6.1. Risk is higher where untrusted local users, services, or container workloads can exercise io_uring.
Exploitation context
The bundle says Syzkaller produced a crash trace. It does not cite public exploitation, weaponized proof-of-concept activity, or CISA KEV listing. Active exploitation should not be assumed from the provided evidence.
Researcher notes
Evidence is strong for root cause and fix direction, but incomplete for CVSS, CWE, distro-specific ranges, and exploit prerequisites. Validate exact exposure against vendor kernel trees because distribution backports may not match upstream version numbers.
Mitigation direction
Update to a kernel containing the referenced stable fixes or vendor backports.
Check Linux distribution advisories for package names and fixed kernel builds.
Prioritize shared hosts and container platforms with untrusted local workloads.
If patching is delayed, follow vendor guidance for temporary exposure reduction.
Avoid direct wrangler or deployment assumptions; this is a kernel maintenance issue.
Validation and detection
Inventory Linux kernel versions across servers, containers hosts, and appliances.
Confirm whether installed kernels include either referenced stable commit or a vendor backport.
Review kernel logs for io_msg_ring, io_msg_send_fd, NULL dereference, or panic traces.
Identify systems allowing untrusted local users or workloads to use io_uring.
Track vendor advisories until affected version ranges are clarified for your distribution.
Based on public source material and reviewed before publication.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50295 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
3Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Sep 15, 2025, 14:45 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.